
Re: File watching



Michael C Thompson wrote:
Steve wrote:
Is it possible to tell if a file was opened read/write or read-only from the events generated by audit?

The record does record syscall arguments, however, so perhaps you could
analyze a1= (I believe this is the argument that passes flags), and
figure out what flags open() was called with.

I performed an open on a file twice: the first when the user had read/write privileges to the file, and the second when the user only had read permissions. These were the a# values from the events, respectively:

a0=bfe6ac25 a1=8000 a2=0 a3=8000

a0=bfd25b55 a1=8000 a2=0 a3=8000

I'm not sure how to analyze that...

In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and O_LARGEFILE (0100000 octal, 0x8000 hex).

So your file was opened as read-only. You can't determine the level of access the user has from the above, although you should be able to infer some information about it from the entire record.

Mike


The file is owned by root and the group for the file is root. The permissions are 664.

Here is the whole record for root accessing the file

audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0

and for the normal user:

audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0

I am not sure why it opens the file as read-only when root opens it...

Steve
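The decoding Mike describes, worked through on the two records above, as an added example that is not part of the thread: it splits a SYSCALL record into fields, expands the hex a1 value into open(2) flag names, and compares the opener's fsuid/fsgid against ouid/ogid and the object's mode to see which permission triplet applied. The flag values are the x86 ones (arch=40000003 is i386) and the group check only looks at fsgid, not supplementary groups; both are assumptions to verify on your platform.

```python
"""Decode open(2) flags and ownership fields of a Linux audit SYSCALL record."""
import re

# Assumption: x86 flag values (O_LARGEFILE = 0100000 octal = 0x8000);
# other architectures use different numbers, so check <asm/fcntl.h>.
OPEN_FLAGS = {
    "O_CREAT": 0o100, "O_EXCL": 0o200, "O_NOCTTY": 0o400, "O_TRUNC": 0o1000,
    "O_APPEND": 0o2000, "O_NONBLOCK": 0o4000, "O_DSYNC": 0o10000,
    "O_LARGEFILE": 0o100000, "O_DIRECTORY": 0o200000, "O_NOFOLLOW": 0o400000,
    "O_CLOEXEC": 0o2000000,
}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def parse_record(line):
    """Split the key=value pairs of one audit record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_open_flags(a1_hex):
    """Return the symbolic flag names packed into the hex a1 argument of open(2)."""
    flags = int(a1_hex, 16)
    names = [ACCMODE.get(flags & 0o3, "O_ACCMODE?")]   # low two bits: access mode
    names += [n for n, v in OPEN_FLAGS.items() if flags & v]
    return names

def permission_class(rec):
    """Which rwx triplet of the object's mode governs the opening process.

    Only fsuid/fsgid are in the record, so supplementary group membership
    that would also grant 'group' access cannot be seen here (assumption)."""
    if rec["fsuid"] == rec["ouid"]:
        return "owner"
    if rec["fsgid"] == rec["ogid"]:
        return "group"
    return "other"

def summarize(line):
    """Answer two questions: was the file opened for writing, and could it have been?"""
    rec = parse_record(line)
    flags = decode_open_flags(rec["a1"])
    cls = permission_class(rec)
    triplet = (int(rec["mode"], 8) >> {"owner": 6, "group": 3, "other": 0}[cls]) & 0o7
    return {
        "name": rec["name"], "comm": rec["comm"], "flags": flags,
        "opened_for_write": flags[0] != "O_RDONLY",
        "class": cls, "may_write": bool(triplet & 0o2),
    }

# The two records from the thread, as sample input.
ROOT_REC = 'audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0'
USER_REC = 'audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0'

if __name__ == "__main__":
    for rec in (ROOT_REC, USER_REC):
        print(summarize(rec))
```

Both records decode to O_RDONLY|O_LARGEFILE, which matches what vi does when it first reads a file; the owner/other split shows root could have written it (664 owner bits) while uid 500 could not.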

